What is the PDPL and how does it affect cloud services in Saudi Arabia?

The Personal Data Protection Law (PDPL), enacted in September 2023 with a compliance grace period, is Saudi Arabia's first comprehensive data protection regulation. Key requirements include: obtaining consent for personal data processing, mandatory data breach notification to SDAIA within 72 hours, data transfer restrictions requiring adequate protection in the destination country, appointment of a data protection officer for organizations processing large-scale personal data, and data subject rights including access, correction, and deletion. The PDPL is enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA).

What are Saudi Arabia's data residency requirements for cloud services?

Saudi Arabia has progressively implemented data localization requirements. The NDMO (National Data Management Office) Cloud First Policy mandates that government data be hosted within Saudi Arabia. SAMA (Saudi Arabian Monetary Authority) requires financial institutions to store critical customer data domestically. The NCA Essential Cybersecurity Controls require critical national infrastructure data to remain in-Kingdom. The PDPL allows cross-border transfers only to countries with adequate data protection or with explicit consent and contractual safeguards. These requirements have driven all major hyperscalers to establish or plan Saudi-based infrastructure.

What is STC Cloud and how does it compare to hyperscalers?

STC Cloud is the cloud services division of Saudi Telecom Company (stc), the Kingdom's largest telecommunications provider. STC Cloud offers IaaS and PaaS from Saudi-based data centers with full compliance to NDMO, NCA, and SAMA requirements. It provides managed cloud services, hybrid cloud solutions, and a strategic partnership with Alibaba Cloud through the 'eCloud' joint venture. STC Cloud's advantages include guaranteed Saudi data residency, Arabic-language support, local regulatory compliance, and direct integration with stc's network infrastructure. It competes with hyperscalers primarily on sovereignty and compliance rather than service breadth.

What is the size of the Saudi Arabian cloud computing market?

The Saudi Arabian cloud computing market reached approximately USD 4.5 billion in 2025 and is the largest cloud market in the Middle East and North Africa (MENA) region. The market is growing at a CAGR of 24.6%, among the fastest in the world, and is projected to exceed USD 10 billion by 2028. Growth is driven by Vision 2030 digital transformation mandates, government cloud-first policy, giga-project infrastructure requirements (NEOM, The Line, Red Sea), and rapid private sector digitization across banking, retail, and healthcare.

Can financial institutions in Saudi Arabia use public cloud?

Yes, SAMA (Saudi Arabian Monetary Authority, now Saudi Central Bank) issued cloud computing guidelines in 2021 permitting financial institutions to use public cloud services subject to specific conditions: critical data must be stored within Saudi Arabia, cloud providers must comply with NCA cybersecurity controls, business continuity and disaster recovery plans must be maintained, third-party risk assessments are required before cloud adoption, and SAMA must be notified of material cloud outsourcing arrangements. Saudi banks including Al Rajhi Bank, SNB (Saudi National Bank), and Riyad Bank have all adopted cloud strategies.

Cloud Services Saudi Arabia 2026: Vision 2030, STC Cloud, AWS & Enterprise Guide

Q: Which AWS region serves Saudi Arabia?

AWS does not yet have a dedicated region in Saudi Arabia but serves the Kingdom through its Middle East (Bahrain) region, me-south-1, launched in 2019 with 3 Availability Zones. AWS has announced plans for a Saudi Arabia region. Additionally, AWS has established an AWS Local Zone in Jeddah for latency-sensitive workloads. For strict Saudi data residency, enterprises use AWS Outposts deployed in Saudi data centers or partner with local providers like STC Cloud.

Q: What is the NCA cloud security framework?

The National Cybersecurity Authority (NCA) Cloud Cybersecurity Controls (CCC) is a mandatory security framework for all cloud service providers and cloud consumers operating in Saudi Arabia. The CCC comprises 4 main domains and 34 subdomains covering cloud governance, cloud security architecture, cloud security operations, and cloud compliance. Organizations using cloud services must implement the NCA CCC controls, maintain compliance documentation, and undergo periodic assessments. The framework applies to both domestic and international cloud providers serving Saudi entities.

Q: How does NEOM use cloud infrastructure?

NEOM, Saudi Arabia's USD 500 billion giga-project smart city, is being built as a cloud-native city from inception. The project includes dedicated hyperscale data centers, AI-powered city management systems running on cloud, IoT sensor networks processing millions of data points through edge and cloud computing, digital twin platforms modeling the entire city infrastructure, and autonomous transportation systems requiring real-time cloud processing. NEOM has partnerships with major cloud providers and is deploying one of the world's most advanced cloud-connected urban infrastructures.

Q: What data center infrastructure exists in Saudi Arabia?

Saudi Arabia has over 40 data center facilities with total IT power capacity exceeding 300 MW, concentrated in Riyadh, Jeddah, and the Eastern Province (Dammam/Khobar). Major operators include STC (5+ facilities), Mobily, Zain, Center3 (stc subsidiary operating carrier-neutral facilities), Khazna Data Centers, Gulf Data Hub, and Equinix (partner facilities). The Kingdom attracted over USD 3 billion in data center investment in 2024-2025, with Google, Oracle, and AWS all building or planning Saudi-based infrastructure. NEOM will add 100+ MW of dedicated data center capacity.

Q: What is the Google Cloud Dammam region?

Google Cloud launched its Dammam, Saudi Arabia region (me-central2) in 2023, making it the first major hyperscaler with a dedicated Saudi region. The region has 3 zones and supports core GCP services including Compute Engine, GKE, BigQuery, Cloud Storage, and Vertex AI. Google Cloud partnered with Aramco Digital for local cloud services. The Dammam region enables organizations to meet Saudi data residency requirements while leveraging Google Cloud's full platform capabilities, including AI/ML services, data analytics, and Kubernetes orchestration.

CLOUD INFRASTRUCTURE January 2026 28 min read Technical Depth: Expert

Table of Contents

1. Executive Summary
2. Saudi Cloud Market Overview & Vision 2030
3. Hyperscaler Presence: AWS, Azure, GCP & Oracle
4. Domestic Providers: STC Cloud, Mobily, Zain
5. Data Center Landscape & Connectivity Infrastructure
6. CITC, NDMO, NCA & Regulatory Framework
7. PDPL Data Protection & Data Residency Requirements
8. Cloud for Banking, Insurance & SAMA Compliance
9. Giga-Projects: NEOM, The Line, Red Sea Cloud Infrastructure
10. Enterprise Adoption by Tadawul-Listed Companies
11. Government Cloud & NDMO Cloud-First Policy
12. AI Cloud: SDAIA, Arabic NLP & National AI Strategy
13. Cloud Costs: Saudi vs UAE vs Bahrain
14. Energy Sector Cloud: Aramco Digital & Oil/Gas DX
15. Implementation Roadmap & Partner Selection
16. Frequently Asked Questions

1. Executive Summary

Saudi Arabia is undergoing the most ambitious national digital transformation in the Middle East, driven by Vision 2030's strategic imperative to diversify the Kingdom's economy beyond oil dependency. Cloud computing is the foundational infrastructure enabling this transformation, and the Saudi cloud market has emerged as the largest and fastest-growing in the MENA region, valued at approximately USD 4.5 billion in 2025 and expanding at a remarkable CAGR of 24.6% -- among the highest growth rates of any major cloud market globally.

The Saudi cloud ecosystem is rapidly maturing, anchored by a growing hyperscaler presence -- Google Cloud launched its Dammam region (me-central2) in 2023, Oracle Cloud opened a Jeddah region, and AWS operates from nearby Bahrain (me-south-1) while building Saudi-specific infrastructure. Domestic providers led by STC Cloud, the stc-Alibaba Cloud joint venture (eCloud), and emerging players like Mobily Cloud and Zain Cloud serve the significant portion of the market that requires in-Kingdom data residency, Arabic-language support, and compliance with Saudi-specific regulatory frameworks administered by CITC, NDMO, NCA, and SAMA.

What makes the Saudi cloud market uniquely compelling is the scale of greenfield digital infrastructure being built simultaneously. The giga-projects -- NEOM (USD 500 billion), The Line, Red Sea Global, ROSHN, Qiddiya, Diriyah Gate, and the Riyadh Metro -- represent cloud infrastructure opportunities without parallel anywhere in the world. Each project requires purpose-built cloud platforms for smart city operations, IoT sensor networks, autonomous transportation, digital twin modeling, and AI-powered management systems. This guide delivers comprehensive analysis for enterprises navigating the opportunities, regulations, and technical requirements of cloud services in the Kingdom of Saudi Arabia.

$4.5B

Saudi Cloud Market 2025

24.6%

Cloud Market CAGR

300MW

Total DC Power Capacity

$500B

NEOM Investment (Cloud-Native City)

2. Saudi Cloud Market Overview & Vision 2030

Vision 2030, the Kingdom's strategic framework for economic diversification, identifies digital transformation as a critical enabler across all sectors. The National Transformation Program and the Communications and Information Technology Commission (CITC) have established specific targets for cloud adoption, including migrating 50% of government IT workloads to cloud by 2025 and achieving 70% by 2030. These mandates, combined with private sector digitization and giga-project requirements, are driving explosive cloud growth.

Market Size and Growth

The public cloud services market in Saudi Arabia reached USD 4.5 billion in 2025, comprising IaaS at USD 1.6 billion (36%), SaaS at USD 1.8 billion (40%), and PaaS at USD 1.1 billion (24%). Government and public sector accounts for 28% of total spend -- the highest government share of any major cloud market -- followed by financial services (20%), telecommunications (14%), oil and gas (12%), and retail/e-commerce (10%). The market is projected to exceed USD 10 billion by 2028.

Vision 2030 Cloud Pillars

Government Cloud-First: NDMO mandates cloud-first for all new government IT systems, with a target of migrating existing systems to approved cloud platforms. The Unified National Platform (my.gov.sa) serving 30+ million citizens runs on cloud infrastructure.
National Data Strategy: SDAIA's (Saudi Data and AI Authority) national data strategy positions data as a national asset, with cloud infrastructure enabling cross-government data sharing, open data initiatives, and AI-powered public services.
Private Sector Digitization: The Saudi economy's rapid diversification into tourism (Red Sea, AlUla), entertainment (Qiddiya, Riyadh Season), e-commerce, and fintech creates massive cloud demand from new and expanding industries.
Giga-Project Infrastructure: NEOM, The Line, Red Sea Global, ROSHN, Qiddiya, and Diriyah Gate collectively represent USD 1+ trillion in investment, each requiring cloud-native digital infrastructure from inception.
Saudi Arabia as Regional Tech Hub: The Kingdom aspires to become the technology hub of the Middle East, attracting cloud providers, tech companies, and digital talent. Initiatives include the King Abdulaziz City for Science and Technology (KACST) partnerships and the Tuwaiq Academy coding bootcamps.

Key Market Insight

Saudi Arabia's cloud market growth rate (24.6% CAGR) is approximately double the global average and the highest among G20 nations. This growth is driven by a unique combination of massive government spending power, greenfield giga-project infrastructure, a young and digitally-native population (70% under age 35), and strategic mandates that make cloud adoption a national priority rather than merely a business decision.

Cloud Market Composition

Segment	Market Share	Growth Driver	Key Players
Government / Public Sector	28%	NDMO cloud-first mandate, e-government	STC Cloud, Google Cloud, Oracle, AWS
Financial Services	20%	SAMA digital banking, fintech licensing	AWS, Azure, STC Cloud
Telecommunications	14%	5G, IoT, edge computing	STC Cloud, Mobily, Zain
Oil & Gas / Energy	12%	Aramco Digital, upstream/downstream DX	Google Cloud, AWS, Azure
Retail / E-Commerce	10%	Saudi e-commerce boom, Noon, Jarir	AWS, GCP, Alibaba/eCloud
Healthcare	8%	Seha platform, hospital DX, telemedicine	Azure, AWS, STC Cloud
Giga-Projects	8%	NEOM, Red Sea, Qiddiya smart infrastructure	Multi-cloud (custom architectures)

3. Hyperscaler Presence: AWS, Azure, GCP & Oracle

The hyperscaler presence in Saudi Arabia has expanded rapidly as providers compete for a share of the Kingdom's high-growth cloud market. Google Cloud's 2023 launch of the Dammam region established the first major hyperscaler region within Saudi borders, followed by Oracle Cloud's Jeddah region. AWS serves the Kingdom from nearby Bahrain while developing Saudi-specific infrastructure, and Microsoft Azure operates from its UAE and Qatar regions with Saudi expansion planned.

Google Cloud Dammam -- me-central2

Google Cloud's Dammam region, launched in 2023 through a partnership with Aramco Digital, was the first major hyperscaler region to operate within Saudi Arabia. The region serves as a strategic anchor for enterprises requiring in-Kingdom data residency.

# GCP CLI: Deploy resources in Saudi Arabia (Dammam)
gcloud compute instances create production-server \
  --zone=me-central2-a \
  --machine-type=n2-standard-8 \
  --image-family=ubuntu-2204-lts \
  --image-project=ubuntu-os-cloud \
  --network=saudi-production-vpc \
  --subnet=private-app-subnet \
  --tags=production,saudi-workload \
  --labels=environment=production,region=saudi,compliance=nca

# Enable BigQuery for Saudi data analytics
bq --project_id=saudi-analytics mk \
  --dataset \
  --location=me-central2 \
  --description="Saudi production data warehouse" \
  saudi_analytics_dataset

Key characteristics of GCP me-central2 (Dammam):

Zones: 3 zones providing fault isolation within Saudi Arabia
Partnership: Strategic partnership with Aramco Digital for local operations
Key Services: Compute Engine, GKE, BigQuery, Cloud Storage, Vertex AI, Cloud Run, Dataflow
Compliance: NCA CCC compliant, NDMO approved, ISO 27001, SOC 1/2/3
Strengths: First hyperscaler in-Kingdom, Aramco ecosystem access, strong data analytics and AI
Data Residency: Full in-Kingdom data residency for all supported services

Oracle Cloud Jeddah

Oracle Cloud Infrastructure (OCI) operates a dedicated region in Jeddah, providing the full OCI service portfolio with in-Kingdom data residency. Oracle's strength in enterprise applications (Oracle ERP, HCM, SCM) gives it a unique position among Saudi enterprises already running Oracle workloads.

AWS Middle East (Bahrain) -- me-south-1 & Saudi Expansion

AWS serves the Saudi market primarily through its Bahrain region (me-south-1, 3 AZs, launched 2019). Bahrain's geographic proximity (400km from the Eastern Province) provides low-latency connectivity to Saudi enterprises. AWS has also deployed a Local Zone in Jeddah and announced plans for a full Saudi region, recognizing the data residency requirements that drive demand for in-Kingdom infrastructure.

Key characteristics of AWS me-south-1:

Availability Zones: 3 AZs in Bahrain
Key Services: Full core services including EC2, S3, RDS, Lambda, EKS, SageMaker
Latency to Saudi: 8-15ms to Dammam/Eastern Province, 20-30ms to Riyadh, 25-35ms to Jeddah
Saudi Extension: AWS Outposts available for deployment in Saudi data centers for strict data residency
Compliance: SOC 1/2/3, ISO 27001, PCI DSS, HIPAA
Strengths: Broadest service catalog, largest MENA customer base, strong financial services ecosystem

Microsoft Azure -- UAE & Qatar Regions

Azure serves Saudi Arabia from its UAE North (Dubai) and Qatar regions, with connectivity optimized for Saudi enterprise networks. Azure's strength lies in its Microsoft 365 integration, enterprise application ecosystem, and Azure OpenAI Service for Arabic-language AI workloads.

Hyperscaler Comparison for Saudi Market

Feature	GCP Dammam	Oracle Jeddah	AWS Bahrain	Azure UAE/Qatar
In-Kingdom Region	Yes (2023)	Yes (2022)	No (Bahrain + Saudi LZ)	No (UAE + Qatar)
Saudi Data Residency	Yes	Yes	Via Outposts only	Via Stack Edge only
NCA CCC Compliant	Yes	Yes	Partial (Bahrain-based)	Partial (UAE-based)
Latency to Riyadh	~5-8ms	~15-20ms	~20-30ms	~15-25ms
Local Partnership	Aramco Digital	Direct	STC (planned)	stc, Mobily
Govt. Cloud Eligible	Yes (NDMO approved)	Yes	Limited	Limited

4. Domestic Providers: STC Cloud, Mobily, Zain

Domestic cloud providers play a critical role in Saudi Arabia's cloud ecosystem, serving the substantial market segment that requires guaranteed in-Kingdom data residency, Arabic-language operational support, NDMO and NCA compliance, and alignment with government procurement frameworks. The Saudi telecom operators -- stc, Mobily, and Zain -- have each developed cloud divisions to capitalize on this demand.

STC Cloud

The cloud division of Saudi Telecom Company (stc), the Kingdom's largest telecommunications provider with 99%+ population coverage.

5+ data centers across Riyadh, Jeddah, and Dammam
NDMO approved for government cloud workloads
NCA CCC compliant with SAMA financial sector approval
Full IaaS/PaaS with VMware and OpenStack environments
Managed hybrid cloud bridging STC DCs to hyperscalers
Arabic-language 24/7 support with SLA-backed operations
Estimated 20-25% of Saudi domestic cloud market

eCloud (stc-Alibaba Cloud JV)

Joint venture between stc and Alibaba Cloud, combining Alibaba's cloud technology with stc's local infrastructure and market access.

Alibaba Cloud technology stack deployed in Saudi data centers
Full IaaS/PaaS: ECS, ApsaraDB, Function Compute, ACK
Strong in e-commerce and retail cloud (Alibaba DNA)
Arabic and Chinese language AI capabilities
In-Kingdom data residency with Alibaba's global technology
Growing adoption among Saudi e-commerce and logistics enterprises

Center3 (stc subsidiary)

stc's carrier-neutral data center subsidiary, operating wholesale colocation facilities that host both domestic and international cloud providers.

Carrier-neutral data centers in Riyadh, Jeddah, Dammam
Cloud on-ramp to major hyperscalers
100+ MW total capacity across all facilities
Meet-me-room interconnection ecosystem
Tier III+ certified facilities
Primary colocation choice for international cloud providers entering Saudi

Mobily Cloud

Etihad Etisalat (Mobily), Saudi Arabia's second-largest telecom, offering enterprise cloud services integrated with its network infrastructure.

Mobily Business cloud platform
Data centers in Riyadh and Jeddah
Managed cloud and hosting services
Azure partnership for managed Microsoft cloud
IoT platform for enterprise and industrial use cases
Focus on mid-market and SME cloud adoption

Zain Cloud

Zain Saudi Arabia's cloud and enterprise ICT division, leveraging the Zain Group's regional presence across 7 Middle East and Africa markets.

Zain Cloud infrastructure services
Edge computing integrated with Zain 5G network
Managed services including DRaaS and BaaS
AWS partnership for managed AWS services
Focus on enterprise connectivity + cloud bundles
Regional expansion capability via Zain Group network

Khazna Data Centers

UAE-based carrier-neutral data center operator expanding into Saudi Arabia, backed by Mubadala Investment Company.

Expanding into Saudi Arabia with Riyadh campus
Carrier-neutral with multi-cloud connectivity
Hyperscale-capable facilities (50+ MW per campus)
PUE target below 1.3 with advanced cooling
Strong track record in UAE (200+ MW operational)
Focus on hyperscaler and enterprise colocation

5. Data Center Landscape & Connectivity Infrastructure

Saudi Arabia's data center market is experiencing unprecedented growth, with over USD 3 billion invested in new capacity during 2024-2025. The Kingdom currently operates 40+ data center facilities with total IT power capacity exceeding 300 MW, concentrated in Riyadh, Jeddah, and the Eastern Province. This capacity is projected to double by 2028 as hyperscalers, colocation operators, and giga-projects bring new facilities online.

Submarine Cable Connectivity

AAE-1 (Asia-Africa-Europe-1) -- 25,000 km, connecting Saudi Arabia (Jeddah) through Southeast Asia, India, Middle East to France. 40 Tbps capacity.

SEA-ME-WE 5 -- Connects Saudi Arabia to Southeast Asia, South Asia, Middle East, and Europe. 24 Tbps capacity. Major upgrade from SEA-ME-WE 3/4.

FALCON -- FLAG Alcatel Lucent Optical Network, connecting Saudi Arabia to India, East Africa, and Europe via the Red Sea and Mediterranean.

Jeddah-Djibouti (JD) Cable -- Short-haul submarine cable connecting Jeddah to Djibouti, providing connectivity to East Africa and onward cable systems.

IMEWE (India-Middle East-Western Europe) -- Connecting Saudi Arabia (Jeddah) to India, UAE, Pakistan, and France. 3.84 Tbps capacity.

Saudi Vision Cable -- Planned next-generation cable connecting Saudi Arabia's Red Sea coast to Mediterranean markets, supporting NEOM connectivity.

Blue & Raman -- Google-backed cables connecting Saudi Arabia to India, Israel, and Italy. Significant new capacity for Middle East connectivity.

2Africa -- Meta-led 45,000 km cable system circling Africa with landing in Saudi Arabia (Jeddah), providing 180+ Tbps capacity and connectivity to 33 countries.

300+

MW Total IT Power

40+

Data Center Facilities

$3B+

DC Investment 2024-25

Submarine Cable Systems

6. CITC, NDMO, NCA & Regulatory Framework

Saudi Arabia's cloud regulatory framework involves multiple government entities, each responsible for different aspects of cloud governance. Understanding the interplay between these regulators is essential for any cloud deployment in the Kingdom.

Key Regulatory Bodies

CITC (Communications, Space and Technology Commission): The primary telecommunications regulator, responsible for licensing cloud service providers, spectrum management, and oversight of communications infrastructure. CITC's Cloud Computing Regulatory Framework establishes the licensing and operational requirements for cloud providers in Saudi Arabia.
NDMO (National Data Management Office): Under SDAIA, NDMO establishes data governance policies including the Cloud First Policy mandating government cloud adoption, data classification standards, and data sharing frameworks. NDMO maintains the list of approved cloud service providers for government use.
NCA (National Cybersecurity Authority): Issues the Essential Cybersecurity Controls (ECC) and Cloud Cybersecurity Controls (CCC) that all organizations must implement. NCA's framework applies to both cloud providers and cloud consumers, with specific controls for critical national infrastructure.
SAMA (Saudi Central Bank): Regulates cloud usage by financial institutions through its Cloud Computing Guidelines, Cyber Security Framework, and Outsourcing Guidelines. SAMA approval is required before banks and insurance companies can deploy material workloads to cloud.
SDAIA (Saudi Data and AI Authority): Oversees the PDPL (Personal Data Protection Law) and national AI strategy, with authority over data protection enforcement, AI governance, and national data strategy implementation.

Regulatory Compliance Checklist

Cloud deployments in Saudi Arabia must satisfy: (1) CITC cloud provider licensing requirements, (2) NCA ECC/CCC cybersecurity controls for both provider and consumer, (3) NDMO data classification and cloud-first compliance for government workloads, (4) PDPL data protection requirements administered by SDAIA, and (5) sector-specific regulations from SAMA (financial), MOH (healthcare), or MOENR (energy). International compliance certifications (ISO 27001, SOC 2) complement but do not replace Saudi-specific requirements.

NCA Cloud Cybersecurity Controls (CCC)

# NCA CCC Compliance Architecture (GCP me-central2 / Dammam)
# ============================================================

# Domain 1: Cloud Governance (CCC 1-1 through 1-8)
governance:
  cloud_security_policy: "Documented, board-approved cloud security policy"
  risk_assessment: "Annual cloud-specific risk assessment per NCA methodology"
  compliance_monitoring: "Continuous compliance monitoring dashboard"
  third_party_assessment: "Annual third-party security assessment of CSP"

# Domain 2: Cloud Security Architecture (CCC 2-1 through 2-12)
architecture:
  network_segmentation:
    vpc: "10.0.0.0/16 (me-central2)"
    private_subnets: ["10.0.1.0/24", "10.0.2.0/24"]  # App tier
    database_subnets: ["10.0.10.0/24", "10.0.11.0/24"] # Data tier
    dmz_subnets: ["10.0.100.0/24"]  # Load balancer only
  encryption:
    at_rest: "AES-256 with customer-managed keys (Cloud KMS)"
    in_transit: "TLS 1.3 enforced on all endpoints"
    key_management: "Cloud KMS with automatic 90-day rotation"
  identity:
    authentication: "Cloud Identity + Saudi National SSO integration"
    authorization: "IAM with principle of least privilege"
    mfa: "Mandatory for all administrative access"

# Domain 3: Cloud Security Operations (CCC 3-1 through 3-8)
operations:
  monitoring: "Cloud Operations Suite with Arabic-language alerting"
  incident_response: "NCA-aligned incident response plan with 4-hour SLA"
  vulnerability_management: "Weekly scans, 72-hour critical patch SLA"
  logging: "Cloud Audit Logs, 5-year retention, immutable storage"

# Domain 4: Cloud Compliance (CCC 4-1 through 4-6)
compliance:
  data_residency: "All data stored in me-central2 (Saudi Arabia)"
  data_classification: "NDMO 4-tier classification applied to all assets"
  audit_trail: "Complete API audit trail with Cloud Audit Logs"
  regulatory_access: "NCA and CITC audit access provisions in CSP contract"

7. PDPL Data Protection & Data Residency Requirements

The Personal Data Protection Law (PDPL), enacted by Royal Decree in September 2023 with a compliance grace period extending to September 2024, is Saudi Arabia's first comprehensive data protection legislation. Enforced by SDAIA, the PDPL establishes individual data rights, organizational obligations, and cross-border transfer restrictions that directly impact cloud architecture decisions.

Key PDPL Requirements

Lawful Basis for Processing: Personal data may only be processed with the data subject's consent or under specific legal exceptions including contractual necessity, legal obligation, vital interests, and legitimate public interest.
Data Minimization: Organizations must collect only the personal data necessary for the specified purpose and may not retain it beyond the period required for that purpose.
Cross-Border Transfer: Transfer of personal data outside Saudi Arabia is permitted only if the receiving country provides an adequate level of data protection (as determined by SDAIA), or if the transfer is necessary for treaty obligations, Saudi interests, or contract performance. Blanket consent for cross-border transfers is not sufficient.
Breach Notification: Data controllers must notify SDAIA of personal data breaches within 72 hours and notify affected individuals without undue delay if the breach is likely to result in harm.
Data Protection Officer: Organizations processing personal data in large volumes must appoint a data protection officer and register with SDAIA.
Penalties: Violations may result in fines up to SAR 5 million (approximately USD 1.33 million) and imprisonment for up to 2 years for specific offenses.

Data Residency Landscape

Sector	Regulator	Data Residency Requirement	Cloud Implication
Government	NDMO / NCA	All government data must reside in Saudi Arabia	Saudi-based cloud region mandatory (GCP Dammam, Oracle Jeddah, or domestic)
Financial Services	SAMA	Critical customer data must remain in Kingdom	In-Kingdom cloud or AWS Outposts; non-critical can be regional
Healthcare	MOH / NHRA	Patient records must be stored domestically	Saudi cloud region required for clinical systems
Telecommunications	CITC	Subscriber data and CDRs must remain in Saudi	Domestic cloud mandatory for telco systems
Critical Infrastructure	NCA	Critical national infrastructure data must be in-Kingdom	Domestic cloud or on-premises; no offshore permitted
General Commercial	SDAIA (PDPL)	Cross-border transfer requires adequacy or consent	Saudi region preferred; regional possible with compliance measures

8. Cloud for Banking, Insurance & SAMA Compliance

Saudi Arabia's financial sector, regulated by SAMA (Saudi Central Bank), is rapidly adopting cloud services as part of the broader financial sector transformation. The Kingdom's banking sector comprises 30+ licensed banks and financial institutions, including the Saudi National Bank (SNB, the largest bank in the Middle East by assets following the NCB-Samba merger), Al Rajhi Bank (the world's largest Islamic bank), and Riyad Bank, alongside a growing fintech ecosystem licensed under SAMA's Sandbox Regulatory Framework.

Bank Cloud Adoption

Saudi National Bank (SNB): Multi-cloud strategy with AWS and Azure for digital banking channels, customer analytics, and regulatory reporting. Internal private cloud on STC infrastructure for core banking. Cloud spending estimated at SAR 800 million annually.
Al Rajhi Bank: AWS-first strategy for digital transformation, with one of the most advanced cloud-native mobile banking platforms in the Middle East. Machine learning-powered Sharia-compliant product recommendation engine on SageMaker. 18+ million active digital banking users.
Riyad Bank: Azure primary for enterprise modernization and Microsoft 365 integration. Google Cloud for data analytics and AI. Riyad Bank's digital banking platform Riyad Online serves 8+ million customers on cloud infrastructure.
stc pay (now stc Bank): Saudi Arabia's leading digital wallet and newly licensed digital bank, running entirely on cloud-native infrastructure. Serves 12+ million users with cloud-based payment processing, KYC, and financial services.

SAMA Cloud Guidelines

SAMA's framework requires financial institutions to:

Conduct a comprehensive risk assessment before adopting cloud services
Ensure critical customer data remains within Saudi Arabia
Implement NCA cybersecurity controls for all cloud environments
Maintain business continuity with defined RPO/RTO for cloud-hosted financial systems
Notify SAMA of material cloud outsourcing arrangements
Ensure regulatory audit access to cloud service providers
Implement encryption for data at rest and in transit per SAMA standards

9. Giga-Projects: NEOM, The Line, Red Sea Cloud Infrastructure

Saudi Arabia's giga-projects represent the most extraordinary greenfield cloud infrastructure opportunity in the world. These projects are not retrofitting digital capabilities onto existing infrastructure -- they are building entire cities, resorts, and entertainment districts as cloud-native environments from the ground up, with digital infrastructure designed before physical construction begins.

NEOM Cloud Infrastructure

NEOM, the USD 500 billion mega-city project in northwest Saudi Arabia, is being designed as the world's most advanced cloud-connected urban environment. NEOM's digital infrastructure requirements include:

Hyperscale Data Centers: Purpose-built data centers within NEOM providing 100+ MW of IT capacity, powered by renewable energy (solar and wind) from NEOM's planned 100% clean energy grid.
City Operating System: A cloud-based city management platform processing data from millions of IoT sensors, managing autonomous transportation, energy distribution, water systems, and public safety through a unified digital command center.
Digital Twin: A comprehensive digital twin of the entire NEOM development, running on cloud infrastructure, enabling real-time simulation of urban systems, construction progress monitoring, and predictive infrastructure maintenance.
AI-Powered Services: Cloud-hosted AI systems for personalized citizen services, predictive healthcare, adaptive education, and intelligent building management across NEOM's residential, commercial, and industrial zones.
The Line: NEOM's 170km linear city concept requires continuous cloud connectivity along its entire length, with edge computing nodes every 500 meters supporting autonomous mobility, real-time environmental monitoring, and building management for 9 million planned residents.

Other Giga-Project Cloud Requirements

Giga-Project	Investment	Cloud Use Cases	Status
NEOM / The Line	$500B	City OS, digital twin, autonomous transport, AI services	Under construction
Red Sea Global	$10B+	Smart resort management, marine conservation monitoring, guest experience	Phase 1 operational
Qiddiya	$8B+	Entertainment tech, gaming cloud, event management, visitor analytics	Under construction
Diriyah Gate	$20B+	Smart heritage site management, AR/VR tourism, visitor flow	Phase 1 underway
ROSHN	$50B+	Smart community management, IoT home automation, resident services	Multiple phases active
Riyadh Metro	$23B	Real-time operations management, passenger information, predictive maintenance	Operational 2024

10. Enterprise Adoption by Tadawul-Listed Companies

The Saudi Exchange (Tadawul), the largest stock exchange in the Middle East by market capitalization, provides insight into cloud adoption among the Kingdom's most significant enterprises. Cloud adoption has accelerated across all sectors, driven by Vision 2030 mandates, competitive pressure, and the availability of in-Kingdom cloud infrastructure.

Energy Sector

Saudi Aramco: The world's most valuable company has partnered with Google Cloud (Aramco Digital) for cloud analytics and AI, AWS for compute workloads, and maintains extensive private cloud infrastructure. Aramco's Fourth Industrial Revolution Center drives AI-powered predictive maintenance across 50+ production facilities.
SABIC: Multi-cloud strategy for chemical manufacturing optimization, supply chain management, and sustainability reporting. AWS and Azure for different workload categories. SAP S/4HANA migration to cloud underway.

Financial Services

Saudi National Bank (SNB): Largest bank in MENA, multi-cloud approach with investment in AI-powered banking services, digital onboarding, and real-time fraud detection on cloud.
Al Rajhi Bank: Leading Islamic bank with one of the most advanced cloud-native mobile banking platforms, serving 18+ million digital users.

Telecommunications

stc Group: Saudi Arabia's largest telecom and the parent company of STC Cloud. Dual role as cloud provider and cloud consumer. stc's consumer and enterprise services run on STC Cloud and hyperscaler infrastructure. 5G rollout leveraging edge cloud across the Kingdom.
Mobily: Enterprise cloud services for its business customers, with partnership model offering Azure managed services.

11. Government Cloud & NDMO Cloud-First Policy

Saudi Arabia's government cloud program is among the most ambitious in the world, driven by NDMO's Cloud First Policy that mandates government agencies to prioritize cloud for all new IT deployments and progressively migrate existing systems. Government cloud spending represents 28% of the total Saudi cloud market -- the highest government concentration of any major cloud market globally.

National Government Cloud Platforms

NDMO Government Cloud: Centralized cloud platform approved for government data hosting, with pre-assessed providers including STC Cloud, Google Cloud (Dammam), and Oracle Cloud (Jeddah). Government agencies can procure cloud services through NDMO framework agreements.
Unified National Platform (my.gov.sa): Saudi Arabia's e-government super-app, serving 30+ million residents with 6,000+ government services from 370+ agencies, running on scalable cloud infrastructure.
Absher: The Ministry of Interior's digital services platform processing 250+ million transactions annually for identity management, visa services, and law enforcement -- hosted on secure government cloud.
Tawakkalna: Initially deployed for COVID-19 health management, evolved into a comprehensive digital identity and government services platform with 27+ million users, running on cloud infrastructure.

370+

Govt Agencies on Cloud

6,000+

E-Government Services

30M+

my.gov.sa Users

70%

Govt Cloud Target 2030

12. AI Cloud: SDAIA, Arabic NLP & National AI Strategy

Saudi Arabia has positioned artificial intelligence as a cornerstone of Vision 2030's economic diversification strategy. SDAIA (Saudi Data and Artificial Intelligence Authority), established in 2019, oversees the National Strategy for Data and AI (NSDAI) which aims to make Saudi Arabia a global AI leader. The cloud infrastructure requirements for AI -- particularly GPU compute for training Arabic-language models -- are driving significant cloud investment.

National AI Initiatives

SDAIA ALLaM: Saudi Arabia's Arabic large language model, trained on the largest Arabic text corpus ever assembled. Available through SDAIA's AI platform for government and enterprise use, deployed on Saudi-based GPU cloud infrastructure.
National Center for AI (NCAI): Operates under SDAIA, providing cloud-based AI research infrastructure, AI talent development through Tuwaiq Academy, and AI adoption consulting for government agencies and enterprises.
Saudi AI Compute: Government investment in sovereign GPU cloud infrastructure, including partnerships with NVIDIA for dedicated AI supercomputing clusters based in Saudi Arabia, ensuring AI training data does not leave the Kingdom.
AI Ethics Framework: SDAIA has published AI governance principles and ethics guidelines that apply to all AI deployments in the Kingdom, including cloud-hosted AI services. Compliance is mandatory for government AI applications.

13. Cloud Costs: Saudi vs UAE vs Bahrain

Cloud pricing in the Middle East reflects the region's emerging status in global cloud infrastructure, with costs generally 15-25% higher than mature APAC markets. Within the GCC, pricing varies based on provider, in-country versus offshore regions, and the premium associated with data residency compliance.

Regional Cost Comparison

Service	Saudi (GCP Dammam)	UAE (Azure Dubai)	Bahrain (AWS me-south-1)
n2-standard-4 / D4s v5 / m6i.xlarge	~$0.235	~$0.228	~$0.222
Object Storage (per GB/month)	$0.026	$0.025	$0.025
Data Transfer Out (per GB)	$0.12	$0.12	$0.117
Managed Database (4vCPU, per hour)	~$0.280	~$0.270	~$0.260
Kubernetes Cluster (per hour)	$0.10	Free (AKS)	$0.10

Cost Optimization for Saudi Cloud

1. Data Residency Premium: In-Kingdom regions carry a 5-10% premium over Bahrain/UAE; accept this for compliant workloads, route non-regulated workloads to lower-cost regions. 2. Committed Use Discounts: GCP committed use contracts (1-3 years) save 37-55% on Dammam region compute. 3. Domestic Providers: STC Cloud pricing can be competitive for standard workloads, especially with multi-year contracts and bundled network services. 4. Government Procurement: NDMO framework agreements offer pre-negotiated cloud pricing for government entities. 5. Off-Peak Compute: Saudi weekday peak is Sunday-Thursday; leverage spot/preemptible instances during Thursday evening through Saturday for batch processing workloads.

14. Energy Sector Cloud: Aramco Digital & Oil/Gas DX

Saudi Arabia's energy sector, dominated by Saudi Aramco (the world's most valuable company and largest oil producer), is a massive cloud computing consumer. The digital transformation of oil and gas operations -- from upstream exploration and production to downstream refining and distribution -- requires cloud infrastructure at extraordinary scale.

Aramco Digital

Aramco Digital, the technology subsidiary of Saudi Aramco, operates as both a cloud consumer (for Aramco's internal operations) and a cloud enabler (through its Google Cloud partnership). Key initiatives include:

Google Cloud Partnership: Aramco Digital is the exclusive partner for Google Cloud in Saudi Arabia, operating joint cloud services from the Dammam region. This partnership provides Aramco and the broader Saudi enterprise market with Google's full cloud platform with in-Kingdom data residency.
Fourth Industrial Revolution Center (4IRC): Aramco's 4IRC deploys AI and IoT across 50+ production facilities, using cloud-based machine learning for predictive maintenance, production optimization, and safety monitoring. Processes 1+ petabyte of operational data daily.
Digital Drilling: Cloud-based drilling optimization platform using real-time sensor data from drill rigs, satellite imagery, and geological models to optimize drilling operations and reduce non-productive time by 30-40%.
Supply Chain Cloud: Aramco's procurement platform (managing USD 40+ billion in annual procurement) runs on cloud infrastructure, connecting 10,000+ suppliers through digital workflows.

15. Implementation Roadmap & Partner Selection

Deploying cloud services in Saudi Arabia requires careful navigation of the Kingdom's multi-layered regulatory environment, domestic provider landscape, and unique business practices. The following roadmap addresses Saudi-specific considerations.

Phase 1: Assessment and Planning (6-10 weeks)

Data classification per NDMO standards (public, internal, confidential, top secret)
NCA CCC gap assessment for cybersecurity control compliance
SAMA compliance assessment if serving financial sector
Data residency mapping -- identify all data requiring in-Kingdom hosting
Provider evaluation: in-Kingdom (GCP Dammam, Oracle Jeddah, STC Cloud) vs. regional (AWS Bahrain, Azure UAE/Qatar)
PDPL compliance framework establishment

Phase 2: Foundation (8-14 weeks)

Landing zone deployment in Saudi-based region (GCP me-central2 or Oracle Jeddah) with NCA CCC compliant architecture
Encryption implementation per NCA standards with customer-managed keys
Arabic-language monitoring, alerting, and documentation
Integration with Saudi national platforms (Nafath digital identity, Elm services) where applicable
CI/CD pipeline with Saudi regulatory compliance checks built in

Phase 3: Migration and Deployment (12-36 weeks)

Wave 1: Development/test environments and internal collaboration tools
Wave 2: Customer-facing web and mobile applications
Wave 3: Financial and regulated workloads (SAMA compliance validation)
Wave 4: Government-facing services (NDMO compliance validation)
Wave 5: AI/ML workloads and Arabic-language model deployment

Phase 4: Optimization (Ongoing)

FinOps with SAR-denominated dashboards and Saudi fiscal year alignment
NCA CCC annual compliance assessment
PDPL ongoing compliance monitoring and breach readiness testing
Arabic AI model performance optimization and sovereign AI expansion

Seraphim Vietnam: Your APAC-Middle East Cloud Partner

Seraphim Vietnam delivers enterprise cloud architecture, migration, and managed services across APAC and the Middle East, including Saudi Arabia. Our team holds advanced certifications across AWS, Azure, and GCP, with expertise in NCA cybersecurity controls, NDMO data governance, SAMA financial compliance, and multi-cloud architectures bridging Saudi in-Kingdom requirements with global operations. Whether you are deploying cloud infrastructure for Vision 2030 initiatives, building giga-project digital platforms, or migrating enterprise workloads to Saudi-based cloud regions, we provide the technical depth and cross-regional expertise your project demands. Contact us for a Saudi Arabia cloud assessment.

16. Frequently Asked Questions

Which AWS region serves Saudi Arabia?

AWS serves Saudi Arabia primarily through its Middle East (Bahrain) region, me-south-1, launched in 2019 with 3 Availability Zones. AWS also operates a Local Zone in Jeddah for latency-sensitive workloads and offers AWS Outposts for deployment in Saudi data centers to meet strict data residency requirements. AWS has announced plans for a full Saudi Arabia region.

What is the PDPL and how does it affect cloud services?

The Personal Data Protection Law (PDPL), enacted in September 2023, is Saudi Arabia's comprehensive data protection regulation enforced by SDAIA. It requires consent for data processing, mandates 72-hour breach notification, restricts cross-border data transfers to countries with adequate protection, and imposes penalties up to SAR 5 million. Cloud providers and consumers must implement PDPL-compliant data handling practices.

What are Saudi Arabia's data residency requirements?

Saudi Arabia has strict data residency requirements across multiple sectors: NDMO mandates government data remain in-Kingdom, SAMA requires critical financial data to be stored domestically, NCA requires critical infrastructure data to stay in Saudi Arabia, and the PDPL restricts cross-border transfers. These requirements have driven hyperscalers to establish Saudi-based regions and local zones.

What is STC Cloud?

STC Cloud is the cloud division of Saudi Telecom Company (stc), offering IaaS, PaaS, and managed cloud services from Saudi-based data centers. It is NDMO-approved for government workloads, NCA CCC compliant, and SAMA-approved for financial services. STC Cloud also operates the eCloud joint venture with Alibaba Cloud for international-grade cloud services with Saudi data residency.

What is the size of the Saudi cloud market?

The Saudi cloud market reached approximately USD 4.5 billion in 2025, the largest in MENA, growing at 24.6% CAGR. It is projected to exceed USD 10 billion by 2028. Government spending represents 28% of the market, the highest government concentration of any major cloud market globally.

What is the NCA cloud security framework?

The NCA Cloud Cybersecurity Controls (CCC) is a mandatory framework covering cloud governance, security architecture, security operations, and compliance. Both cloud providers and cloud consumers must implement CCC controls. The framework applies to domestic and international cloud providers serving Saudi entities and is assessed through periodic audits.

How does NEOM use cloud infrastructure?

NEOM is being built as a cloud-native city with dedicated hyperscale data centers, a cloud-based city operating system, comprehensive digital twin platforms, AI-powered citizen services, and edge computing nodes along The Line's 170km length. It represents the world's most advanced greenfield cloud infrastructure deployment.

Can Saudi banks use public cloud?

Yes, SAMA guidelines permit public cloud use subject to conditions: critical data must remain in Saudi Arabia, NCA cybersecurity controls must be implemented, business continuity plans are required, and SAMA must be notified of material cloud outsourcing. Saudi banks including SNB, Al Rajhi, and Riyad Bank have adopted multi-cloud strategies.

What data center infrastructure exists in Saudi Arabia?

Saudi Arabia has over 40 data center facilities with 300+ MW total capacity, concentrated in Riyadh, Jeddah, and Dammam. Major operators include STC/Center3, Google Cloud, Oracle, Gulf Data Hub, and Khazna. Over USD 3 billion was invested in Saudi data centers in 2024-2025, with capacity projected to double by 2028.

What is the Google Cloud Dammam region?

Google Cloud launched its Dammam region (me-central2) in 2023 through a partnership with Aramco Digital. It has 3 zones supporting core GCP services including Compute Engine, GKE, BigQuery, Cloud Storage, and Vertex AI. It was the first major hyperscaler with a dedicated Saudi region, enabling in-Kingdom data residency on Google Cloud.